CVE-2020-7606
docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization...
CVE-2020-7604
pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to successfully exploit this...
CVE-2020-7605
CVE-2020-7605 corresponds to a command-injection flaw in gulp-tape up to version 1.0.0. The vulnerability arises from injecting arbitrary commands via gulp-tape options, enabling potential remote code execution if an attacker can influence those options. Multiple connected sources (Red Hat CVE en...
CVE-2020-7601
CVE-2020-7601 affects gulp-scss-lint up to version 1.0.0. The root cause is command injection through the exec function in src/command.js, allowing an attacker to execute arbitrary commands. Documented impact is remote command execution with high severity (NVD CVSS v3.1 base score 9.8; v2 7.5). M...
libssh: Arbitrary command execution
Background libssh is a multiplatform C library implementing the SSHv2 protocol on client and server side. Description It was discovered that libssh incorrectly handled certain scp commands. Impact A remote attacker could trick a victim into using a specially crafted scp command, possibly resultin...
Updated firefox packages fix security vulnerabilities
Updated firefox packages fix security vulnerabilities: The inputs to sctp_load_addresses_from_init are verified by sctp_arethere_unrecognized_parameters; however, the two functions handled parameter bounds differently, resulting in out of bounds reads when parameters are partially outside a chunk...
[ASA-202003-10] okular: arbitrary command execution
Arch Linux Security Advisory ASA-202003-10 ========================================== Severity: Low Date : 2020-03-13 CVE-ID : CVE-2020-9359 Package : okular Type : arbitrary command execution Remote : Yes Link : https://security.archlinux.org/AVG-1113 Summary ======= The package okular before...
A vulnerability in the diagnostic script of the firmware for Moxa AWK-3131A industrial wireless access points allows an intruder to execute arbitrary commands.
The vulnerability in the diagnostic script of the Moxa AWK-3131A firmware exists because special elements used in operating system commands are not neutralized (OS command injection). Exploiting this vulnerability allows a malicious acto...
Design/Logic Flaw
Blamer versions prior to 1.0.1 allow execution of arbitrary commands. It is possible to inject arbitrary commands as part of the arguments provided to blamer...
CVE-2020-6811
The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command...
Mozilla Firefox/Firefox ESR Command Injection Vulnerability
Mozilla Firefox is a free, open-source browser for Windows, Linux, and MacOSX. firefox ESR refers to the Extended Support Release of Firefox, which was created by mozilla specifically for organizations that can't or don't want to upgrade their browser every six weeks. A command injection...
CVE-2020-6811
The Mozilla Foundation Security Advisory describes this flaw as: The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted the command into a terminal, it...
UBUNTU-CVE-2020-1734
A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by...
CVE-2020-1734
CVE-2020-1734 affects the ansible pipe lookup plugin, where subprocess.Popen() with shell=True could allow an attacker to overwrite ansible facts and run arbitrary commands. The public advisories in connected documents confirm this issue and show mitigations in openSUSE/SUSE updates (e.g., ansibl...
[ASA-202002-13] opensmtpd: arbitrary command execution
Arch Linux Security Advisory ASA-202002-13 ========================================== Severity: Critical Date : 2020-02-29 CVE-ID : CVE-2020-8794 Package : opensmtpd Type : arbitrary command execution Remote : Yes Link : https://security.archlinux.org/AVG-1105 Summary ======= The package opensmtp...
CVE-2019-10803
push-dir through 0.4.1 allows execution of arbitrary commands. Arguments provided as part of the variable "opt.branch" are not validated before being provided to the "git" command within "index.js#L139". This could be abused by an attacker to inject arbitrary commands...
CVE-2019-10801
enpeem through 2.2.0 allows execution of arbitrary commands. The "options.dir" argument is provided to the "exec" function without any sanitization...
CVE-2019-10802
giting versions prior to 0.0.8 allow execution of arbitrary commands. The first argument "repo" of function "pull" is executed by the package without any validation...
CVE-2019-10803
CVE-2019-10803 affects push-dir up to version 0.4.1, enabling OS command injection via unsafely passed argument opt.branch to the git command in index.js (line ~139). Connected sources (Red Hat, OSV, Snyk, Veracode, GHSA) consistently describe arbitrary command execution stemming from lack of val...
Sandbox Escape
Overview safe-eval is a Safer version of eval Affected versions of this package are vulnerable to Sandbox Escape. It is possible for an attacker to run an arbitrary command on the host machine. POC by Anirudh Anand for node 12.13.0 const safeEval = require('safe-eval'); const theFunction = function...